Qual Power
California Consumer Privacy Act (CCPA)

Posted By Katrina Noelle, Tuesday, February 25, 2020

The information provided in this blog post does not, and is not intended to, constitute legal advice. Please consult with your own legal counsel on your situation.

California Consumer Privacy Act (CCPA)
https://kofirm.com/ccpa-california-consumer-privacy-act-need-to-know

 

What is CCPA?
The California Consumer Privacy Act (CCPA) is a new state privacy law that impacts most market research and data analytics companies, and covers almost all consumer data. The law applies to almost any kind of data, and in any form, not just to electronic/online data.

GDPR vs. CCPA
CCPA’s goal is to give California residents greater control over how organizations collect, use and disclose their personal data. Although there are some similarities with General Data Protection Regulation (GDPR), CCPA also introduces additional rights for consumers such as the right to opt out from allowing a business to sell their personal data. Certain CCPA requirements overlap with the existing GDPR requirements, but several policies, processes and systems will still need updating to address differences between the two laws.

Who does CCPA apply to?
The International Association of Privacy Professionals (IAPP) estimates that the new law “will apply to more than 500,000 U.S. companies, the vast majority of which are small- to medium-sized enterprises.”

Basically, CCPA covers for-profit companies “that collect consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:”

  1. Have greater than $25 million in annual gross revenue;
  2. Annually handle personal information for 50,000 consumers; or
  3. Derive half of annual revenue from selling consumers’ personal information.

The CCPA only imposes obligations on a business and not on service providers directly. As defined under the CCPA, a “service provider” is a for-profit entity “that processes information on behalf of a business.” If your company does not meet the requirements above to qualify as a business, your company may still be subject to the vendor management obligations that a business is required to impose on its service providers.

EXAMPLE: a company that falls within the scope of the CCPA must require by contract that their suppliers that process information on behalf of the company only retain, use, or disclose such personal information for the specific purpose of performing the services as specified in the contract.

Because many marketing research and data analytics companies (as well as our clients) will be covered by CCPA, it’s something to look into no matter where you are based. The only way to really avoid this law will be for a company to have nothing to do with data on a California resident (including a California employee, independent contractor or participant). That’s hard to avoid when doing nationwide research projects!
 
It’s tempting to think that your company is “too small to worry.” But while some small companies may not be covered, it still will be hard for them to escape the law’s reach.

EXAMPLE: a small recruiting company that recruits fewer than 50,000 individuals for other organizations’ studies would be subject to this law if recruitment (the sale of consumers’ personal contact and qualifications for a study to the recruiter’s clients) makes up half or more of its annual revenue.

What do I do to comply?
Businesses that fall under the scope of the CCPA will need to update data practices and procedures in order to comply with certain CCPA disclosure requirements. Businesses that fail to comply with the CCPA may be subject to “monetary penalties, regulatory enforcement actions, and private rights of action.”

Based on conversations with experts I’ve spoken to on the topic, there are a few things you should do/consider to ensure you are CCPA compliant:

  1. Meet with your lawyer to determine if you need to be CCPA compliant and what steps you need to take in order to do so.
  2. Consider updating your Privacy Policy.
  3. Consider updating your operating agreements, written information security program (WISP) and/or incident response plan (IRP).
  4. Review your company’s agreements with service providers to be sure you are up to date with their requirements.

Note that since the law went into effect on Jan. 1, 2020, there will be updates to it; keep abreast of changes here: https://oag.ca.gov/privacy/ccpa or subscribe to the mailing list here: https://oag.ca.gov/privacy/ccpa/subscribe

 

Katrina is principal of KNow Research, a full-service insights consultancy specializing in designing custom qualitative insights projects for 16+ years to unlock insights about brands and target audiences. She is also co-founder of Scoot Insights, whose trademarked Scoot™ Sprint approach helps decision-makers choose the right direction.

https://www.linkedin.com/in/katrinanoelle/

 

© 2020 Qualitative Research Consultants Association